A critical remote code execution vulnerability in n8n, a popular open-source workflow automation platform, threatens over 103,000 potentially vulnerable instances worldwide.
Tracked as CVE-2025-68613 with a maximum CVSS severity score of 9.9, the flaw allows authenticated attackers to execute arbitrary code with n8n process privileges, risking complete instance compromise.
| Field | Description |
|---|---|
| CVE-ID | CVE-2025-68613 |
| CVSS Score | 9.9 (Critical Severity) |
| Vulnerability Type | Remote Code Execution (RCE) |
| Attack Vector | Network |
Disclosed on December 19, 2025, the vulnerability stems from insufficient isolation in n8n’s workflow expression evaluation system.
Authenticated users can supply specially crafted expressions during workflow configuration that bypass execution context protections, enabling arbitrary code execution on the underlying runtime.
Successful exploitation grants attackers unauthorized access to sensitive data, workflow modification capabilities, and system-level operation execution effectively compromising the entire automation infrastructure.
Vulnerability Details and Attack Vector
The flaw impacts n8n versions starting from 0.211.0 through version 1.120.3, 1.121.0, and earlier 1.122.x releases.
Security researchers at SecureLayer7 have already published proof-of-concept (PoC) code, though no active exploitation has been documented at the time of writing.
The authenticated nature of the attack means threat actors would require valid credentials to exploit the vulnerability, but this doesn’t diminish risk in environments where workflow editing permissions are broadly distributed.
The vulnerability’s severity stems from the execution context’s privileged position within n8n deployments.
n8n released patched versions to address this critical vulnerability: 1.120.4, 1.121.1, and 1.122.0 and later. Organizations should upgrade immediately to one of these patched releases.
The company emphasizes urgent remediation given the flaw’s severity and the large attack surface represented by over 103,000 potentially exposed instances.
For organizations unable to patch immediately, n8n recommends temporary mitigations: restrict workflow creation and editing permissions to fully trusted users only, and deploy n8n in hardened environments with minimal operating system privileges and restricted network access.
However, these measures provide incomplete protection and should serve only as short-term emergency controls pending proper patching.
Censys identified 103,476 potentially vulnerable n8n instances across the internet, distributed globally with varying concentration by region.
This widespread exposure underscores the platform’s significant adoption within enterprise automation ecosystems, particularly among organizations managing complex multi-system workflows.
The vulnerability represents a significant supply chain risk compromised n8n instances could serve as pivots into upstream and downstream systems, affecting not just the organization running automation but entire connected digital ecosystems.
Security teams should immediately identify n8n deployments within their environment, verify current version numbers, and prioritize upgrades to patched versions.
Organizations leveraging n8n for critical business processes should treat this vulnerability as an urgent security incident requiring immediate executive attention and resource allocation.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.